Low Orbit Ion Cannon (LOIC)

What is the Low Orbit Ion Cannon?

The Low Orbit Ion Cannon (LOIC) is an open-source network stress testing application, often used by malicious actors and activists for DoS (denial-of-service) and DDoS (distributed denial-of-service) attacks. The tool was developed in 2010 by Praetox Technologies and then released into the public domain.

The LOIC application is available as open source for several operating systems: Microsoft Windows, Linux, OS X, Android, and iOS. There is also a JavaScript version (JS LOIC) that can be embedded in a page, and a web application that runs in a local web browser (Low Orbit Web Cannon).

The last official version of LOIC was published on SourceForge in 2014, but the project is continued on GitHub as neweracracker/loic. The successor of LOIC is called the High Orbit Ion Cannon (HOIC). Both names are inspired by fictional weapons used in several video games, primarily Command & Conquer.

How does the Low Orbit Ion Cannon work?

The LOIC application sends a stream of TCP packets, UDP packets, or HTTP GET requests to a selected host or URL. Such an attack floods the target with the intent of exhausting its resources and making it unable to handle legitimate requests, resulting in a DoS attack. LOIC cannot send its attack traffic through proxies, so the IP address of the user is clearly visible to the target (stored in server logs).

A single person using LOIC will have very little performance impact, but many instances of the application may be run in parallel in hivemind mode. In this mode, attackers use an IRC (Internet Relay Chat) channel to coordinate and create a voluntary botnet where one participant runs a master instance controlling other users’ slave instances. If sufficiently many users target the same server, it may experience a denial of service.

The Low Orbit Ion Cannon is a very basic attack tool that uses the simplest techniques. However, it is also very easy to install and use (including as part of the Kali Linux distribution), allowing hacktivist organizations to gather large numbers of people to participate in attacks. LOIC has been used for denial-of-service attacks organized by the 4chan hacktivism group Anonymous against such companies as Mastercard and PayPal (Operation Payback linked to their opposition to WikiLeaks), as well as organizations such as the Church of Scientology (Project Chanology).

How to mitigate LOIC attacks?

LOIC does not rely on exploiting vulnerabilities, so web vulnerability scanners and network scanners are not effective at mitigating the risk of such DDoS attacks.

Web application firewalls (WAF) can provide some mitigation by detecting and blocking the part of LOIC attack traffic that uses HTTP GET requests. However, LOIC also sends TCP and UDP packets to flood services running on ports other than those used by web servers, and WAFs cannot help against this, as they only analyze HTTP traffic to protect websites, web applications, and APIs.

DoS/DDoS attempts are best throttled at the internet service provider level. If your web server is hosted in a cloud environment protected by a platform like Akamai or Cloudflare, such services have sufficient protection. The best way to mitigate a DDoS attack is to have an infrastructure that can handle a lot of traffic. If this is not possible, at least make sure you use the firewall to limit the number of connections per IP address in a given period.
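
Because LOIC traffic arrives directly from each participant's own IP address, per-IP request counts in the web server's access log show which sources a connection limit would catch. The following is an added example, not part of the original article: it scans access log lines in the common log format and reports every IP that sends more than a threshold of GET requests within a sliding time window. The log lines, thresholds, and function name are constructed for illustration, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges): one source sends a GET
# every second, another browses normally, and one line is malformed.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
     for s in range(12)]
    + ['198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET /about HTTP/1.1" 200 900',
       '198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /contact HTTP/1.1" 200 700',
       'malformed line without fields']
)

# Captures client IP, timestamp, and HTTP method from a common-log-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ')

def flood_sources(log_text, max_requests=10, window_seconds=10):
    """Return {ip: peak count} for IPs that exceed max_requests GET requests
    within any window of window_seconds (hypothetical helper, not a real API)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "GET":
            continue  # skip malformed lines and non-GET methods
        try:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp
        q = recent[m.group(1)]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > max_requests:
            peaks[m.group(1)] = max(peaks.get(m.group(1), 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, count in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} GET requests within 10 s, candidate for rate limiting")
```

The flagged addresses and their peak rates give a baseline for choosing the per-IP limit to enforce at the firewall. This only covers the HTTP GET part of the traffic; TCP and UDP floods do not appear in web server logs.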

How to prevent your website being used in a LOIC attack?

If your website or web application has vulnerabilities, it could be used as an agent (zombie) in a DDoS attack if attackers manage to install LOIC (or a similar application) in console mode and then control it using IRC. Since the LOIC tool is not typically considered malware, its presence on your server might go undetected.

If malicious actors are able to hack your site and get shell access (for example, using remote code execution), they could make your server participate in attacks. In addition, if you have pages vulnerable to cross-site scripting, the JS LOIC script might also be injected into your pages. Any user visiting that page could then unknowingly be made to participate in an attack.

The best way to protect against these additional risks is to eliminate any vulnerabilities that may lead to LOIC bots being injected into your systems.

Frequently asked questions

What is the Low Orbit Ion Cannon?

The Low Orbit Ion Cannon is a cybersecurity tool that can also be used by hacktivists and malicious hackers to conduct DoS/DDoS attacks. The tool works by flooding the target with TCP/UDP packets (network layer) or HTTP GET requests (application layer). A more advanced version of the tool also exists called High Orbit Ion Cannon.

How dangerous is the Low Orbit Ion Cannon?

The Low Orbit Ion Cannon is as dangerous as any other cybersecurity tool in that it can be used equally well by security teams, white-hat hackers, or cybercriminals. Similar to other such tools, LOIC itself is not dangerous unless used with malicious intent.

How to mitigate LOIC attacks?

Attacks conducted using the LOIC tool are simple request floods. They do not exploit any vulnerabilities, so typical DoS/DDoS protection mechanisms offered by hosting providers and load balancers are your best hope for mitigating such attacks. However, web vulnerabilities can make it possible for attackers to use your servers as bots in an LOIC-based attack, putting your reputation at risk.

Written by: Tomasz Andrzej Nidecki, reviewed by: Zbigniew Banach